Fake Google Play App Uses Infected Phone to Launch DDoS
This malware poses as Google Play and even lets infected users browse Google's real storefront while it secretly reports to its operators and receives commands from them.
Russian anti-virus vendor Doctor Web (Dr. Web) is warning Android users about a recently discovered app that can silently turn a smartphone into a platform for launching DDoS attacks.
Although the security firm didn't reveal the name under which the malicious app is listed, the report calls it "Android.DDoS.1.origin" and says it originates in Russia. Once the app is downloaded and installed on an Android smartphone, it presents itself with the Google Play icon and, when launched, even opens Google's real storefront for the user.
But as Android users browse the virtual aisles of Google Play, the app secretly connects to its command-and-control server and uploads the infected device's phone number to the malware authors. These operators then issue commands to the fake Google Play app by text message.
"Supported directives include attack a specified server and send SMS. If criminals want the Trojan to attack a server, a command message will contain the parameter [server:port]," the firm reports.
If the app receives a command to attack a server, it begins flooding the specified address with data packets. If it is instead told to send SMS messages, the command message contains both the message text and the destination number.
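The two directive types described above can be triaged from an SMS log with a small classifier. The following is an added example, not code from Dr. Web's report or from the malware itself: the report only states that an attack directive carries a "[server:port]" parameter, so the "sms [number] text" shape for the SMS directive, the keyword "attack", and the premium-number heuristic are assumptions made here for illustration, and the sample messages are constructed.

```python
"""Triage inbound SMS texts for the two directive types Dr. Web describes
(attack a server; send an SMS).  Added example; the wire format is not
published on the page, so the shapes below are ASSUMPTIONS:
  - attack directive: contains a "[server:port]" parameter (quoted by Dr. Web)
  - sms directive:    assumed here to look like "sms [number] message text"
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "[server:port]" as quoted in the report; host restricted to DNS/IPv4 characters.
ATTACK_RE = re.compile(r"\[([A-Za-z0-9.-]+):(\d{1,5})\]")
# Hypothetical SMS-directive shape: keyword, bracketed destination number, text.
SMS_RE = re.compile(r"^\s*sms\s+\[(\+?\d{3,15})\]\s*(.+)$", re.IGNORECASE | re.DOTALL)


@dataclass
class Directive:
    kind: str    # "attack" or "sms"
    target: str  # host to flood, or destination phone number
    detail: str  # port (as text), or the SMS body


def parse_directive(text: str) -> Optional[Directive]:
    """Return the directive encoded in one SMS, or None if it looks benign."""
    m = SMS_RE.match(text)
    if m:
        return Directive("sms", m.group(1), m.group(2).strip())
    m = ATTACK_RE.search(text)
    if m:
        port = int(m.group(2))
        # A "[host:99999]" is not a usable target; treat it as noise rather than a command.
        if 1 <= port <= 65535:
            return Directive("attack", m.group(1), str(port))
    return None


def is_premium_number(number: str) -> bool:
    """Heuristic for the chargeable short numbers the report warns about:
    4-6 digits with no country prefix.  Not a carrier registry lookup."""
    digits = number.lstrip("+")
    return digits.isdigit() and 4 <= len(digits) <= 6 and not number.startswith("+")


def triage(messages: List[str]) -> Dict[str, int]:
    """Count how many messages look like attack, SMS, or premium-SMS directives."""
    summary = {"attack": 0, "sms": 0, "sms_premium": 0, "benign": 0}
    for msg in messages:
        d = parse_directive(msg)
        if d is None:
            summary["benign"] += 1
        elif d.kind == "attack":
            summary["attack"] += 1
        else:
            summary["sms"] += 1
            if is_premium_number(d.target):
                summary["sms_premium"] += 1
    return summary


# Constructed sample SMS log (documentation addresses and fake numbers only).
SAMPLE_SMS = [
    "[203.0.113.10:80]",
    "attack [example.test:8080] now",
    "sms [5555] SUBSCRIBE ringtone",
    "sms [+15550100] hi, check this app",
    "Dinner at 7?",
    "[host:99999]",  # invalid port, should be ignored
]

if __name__ == "__main__":
    for msg in SAMPLE_SMS:
        print(repr(msg), "->", parse_directive(msg))
    print(triage(SAMPLE_SMS))
```

The port-range check matters in practice: a loose pattern that accepts any digits would let an analyst's rule fire on ordinary bracketed text, while the premium-number heuristic separates the billing-fraud case the report singles out from plain spam sending.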
"Activities of the Trojan can lower performance of the infected handset and affect the well-being of its owner, as access to the Internet and SMS are chargeable services," the firm said. "Should the device send messages to premium numbers, malicious activities will cost the user even more."
Dr. Web is still trying to determine how the malware is being distributed, but there is no indication that it resides on Google Play, as other reports have suggested. It is more likely offered on third-party Android markets that serve devices without Google services such as Google Play and Gmail. The firm said the criminals are likely employing "social engineering tricks" in addition to disguising the malware as a legitimate Google application.
"It is worth noting that the code of Android.DDoS.1.origin is heavily obfuscated," the security firm said. "Given that the Trojan can carry out attacks on web sites and send various text messages to any number, including those of content providers, we can assume that the malware can also be used to conduct illegal activities for third parties (e.g., attack a competitor's site, promote products with SMS or subscribe users to chargeable services by sending SMS to short numbers)."
This new Android malware is still under investigation, so stay tuned.